FTC Warns US Tech Companies About Weakening Privacy Features After Apple-UK Encryption Battle

Recent letters sent out by Federal Trade Commission Chairman Andrew N. Ferguson were directed to tech companies and warned against watering down privacy protections or censoring their products due to pressure by foreign governments. While the letters did not directly address the situation, the issuance shortly after the announcement of US government intervention in the Apple-UK encryption backdoor spat is likely not a matter of mere coincidental timing.

An FTC press release notes the letters went out to over a dozen major tech companies, Apple among them. The letters specifically highlighted the UK’s Investigatory Powers Act (IPA), which was used to try to compel Apple to install an encryption backdoor in iCloud, as an example of such foreign pressure. They also directly mention the UK’s Online Safety Act and the EU’s Digital Services Act as examples of tools foreign governments might use to censor speech on social media platforms.

FTC warns it could prosecute for “deceptive practices” if tech companies weaken privacy features

The FTC letters noted that the agency has some direct enforcement power in this situation. Tech companies might run afoul of the FTC Act’s Section 5 prohibitions against unfair and deceptive practices if they promise a privacy feature or level of protection that is later removed at the behest of a foreign government. In February of this year, Ferguson began his term by issuing a Section 5 “Request For Information” (RFI) to an assortment of US tech companies with social media platforms seeking to clarify how they treat user speech and whether they might “deny or degrade” service to users through methods such as “shadow banning” or reducing their algorithmic exposure.

The letters also specifically note that if tech companies promise encrypted or “secure” communications but fail to employ “reasonable” measures such as end-to-end encryption, they may also be liable for unfair or deceptive practices. While the recent Apple battle is an applicable example here, this may have also been directed specifically at Meta; the company famously saw a mass exodus of WhatsApp users in 2021 when it announced a privacy policy update that would enable data sharing with its other services, and Facebook Messenger did not start rolling out end-to-end encryption until early 2024.

The FTC letters also promise layers to enforcement if tech companies not only reduce security and privacy features due to pressure by a foreign government, but additionally fail to notify users that the change was made specifically for that reason. This element seems to specifically address the recent Apple case, in which the company was not able to make a clear public declaration of why it removed iCloud encryption features from the UK market due to the terms of the “Technical Capability Notice” issued to it under the IPA.

The letters conclude by requesting that the tech companies meet with Ferguson’s office by August 28 to affirm their obligations under US law and “ongoing privacy and security commitments” to US consumers. Footnotes in the letters cite a variety of related privacy cases, such as the Apple-UK encryption backdoor demand as well as prior cases brought by the FTC against Microsoft and Zoom among others. Other tech companies that received FTC letters include Akamai, Alphabet, Amazon, Cloudflare, Discord, GoDaddy, Signal, Snap, Slack, and X.

Trump administration appears to halt UK government march toward compromised encryption standards

While the UK retains the power to demand encryption backdoors from tech firms (and order them to keep quiet about the matter), the seeming public defeat after pressure from the Trump administration and US intelligence agencies will likely at least pause any further plans of this nature. At minimum, it seems clear that the US government will not tolerate US-based tech companies being ordered to install hardware or software backdoors; not a surprising development given a long history of snafus with similar attempts in the past, from the “Clipper Chip” debacle to the RSA firewall that was thought to be compromised by Chinese state-backed hackers who located the NSA’s secret entrance.

The development also seems to indicate that the Trump administration will continue the Biden administration’s push to make end-to-end encryption a standard feature of consumer services. The Biden FTC opened enforcement cases on both Zoom and Ring for failing to provide the adequate advertised level of security due to failure to adequately encrypt video feeds.

Though the letters appear to be prompted by the recent Apple-UK encryption battle, that matter is not completely settled as of yet. The only comment thus far has come from US intelligence director Tulsi Gabbard, with Apple and the UK government yet to directly weigh in. It remains unclear if Apple will re-introduce the Advanced Protection Program feature in the UK, which it pulled from the region in February in response to the secret order, or if it will proceed with a hearing on the matter scheduled for early 2026.